DO NOT ENTER: /F.S./ 



10723160 -GAU: 2165 



12/12/2008 

IN THE CLAIMS 

1. (Currently amended) A method of generating a representation of an access control list, the
representation being utilizable in a processor, the method comprising the steps of: 

determining a plurality of rules of the access control list, each of at least a subset of 
the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access control 
list, each of one or more of the levels of the tree representation being associated with a 
corresponding one of the fields; 

wherein at least one level of the tree representation comprises a plurality of nodes, 
with two or more of the nodes of that level having a common subtree, the tree representation 
including only a single copy of that subtree, the subtree comprising at least one node that is not a 
leaf node of the tree representation; 

the tree representation being characterizable as a directed graph in which each of the 
two nodes having the common subtree points to the single copy of the common subtree; 

wherein for at least a given level of the tree representation that corresponds to a field 
of a rule of the access control list, a master list of nodes is maintained, at least a given such node 
comprising information characterizing one or more field values associated with that node, one or 
more subtree pointers for that node, and a reference count indicating how many ancestor nodes are 
pointing to that node; 

wherein the tree representation is generated by sequentially processing the rules of 
the access control list, the processing for a given rule comprising applying values of fields of the 
given rule to one or more existing nodes of the tree representation, and wherein when a particular 
value of a field of the given rule is applied to a given node, a copy is made of the node, the field 
value is applied to the copied node, and the resultant updated node is added to the master list of the 
corresponding level; and

wherein the updated node is compared with other nodes of the master list and if a 
duplicate node is found, the copied node is deleted and a pointer to the duplicate node is provided to 
an ancestor node that points to the given node, a subtree pointer of the ancestor node is updated to 
the duplicate node pointer, a reference count of the duplicate node now pointed to by the ancestor 
node is incremented and a reference count of the given node previously pointed to by the ancestor 
node is decremented.

2. (Original) The method of claim 1 wherein the common subtree is implemented at least in
part as a matching table. 

3. (Original) The method of claim 1 wherein the plurality of fields comprises at least first and 
second fields, the first field comprising a source address field and the second field comprising a 
destination address field. 

4. (Original) The method of claim 1 wherein a final level of the tree representation comprises 
a plurality of leaf nodes, each associated with one of the actions of the plurality of rules. 

5. (Original) The method of claim 1 wherein the at least one level of the tree representation 
comprises a root level of the tree representation. 

6. (Original) The method of claim 5 wherein a second level of the tree representation 
includes a plurality of nodes, each being associated with a subtree of a given one of the plurality of 
nodes of the root level of the tree representation. 

7. (Original) The method of claim 1 wherein for each level of the tree representation that 
corresponds to a field of a rule of the access control list, a master list of nodes is maintained, each 
node comprising at least one of information characterizing one or more field values associated with 
that node, one or more subtree pointers for that node, and a reference count indicating how many 
ancestor nodes are pointing to that node. 

8. (Canceled) 

9. (Canceled) 

10. (Currently amended) The method of claim [[9]] 1 wherein if a duplicate node is found in
the master list, that duplicate node is moved to an initial position in the master list.

11. (Previously presented) The method of claim 1 wherein for each node in the master list, a
copy pointer is maintained, and wherein when a copied node is compared to the master list and a 
duplicate node is found, the copied node is added as a copy to the master list for use in conjunction 
with the processing of a subsequent rule. 

12. (Previously presented) The method of claim 1 wherein for each node in the master list, a 
signature is maintained in order to facilitate node comparisons, a full comparison of node subtrees 
being performed only if a match is obtained between node signatures. 

13. (Original) The method of claim 12 wherein the signature for a given node is generated as 
a function of at least one of a field value and a subtree pointer. 

14. (Original) The method of claim 1 wherein the corresponding actions include at least an 
accept action and a deny action. 

15. (Original) The method of claim 1 further including the step of storing at least a portion of 
the tree representation in memory circuitry accessible to the processor. 

16. (Original) The method of claim 1 further including the step of utilizing the stored tree 
representation to perform an access control list based function in the processor. 

17. (Original) The method of claim 16 wherein the access control list based function 
comprises packet filtering. 
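
The construction recited in claims 1, 12 to 14 and 17, as an added Python example that is not code from the application: rules are applied one at a time to copies of nodes, each updated node is checked against a per-level master list, and duplicates are shared so the tree becomes a directed graph used for packet filtering. Assumptions: field values are exact matches or a `*` wildcard, the first matching rule wins, unmatched packets are denied, reference counts are recomputed by walking from the root rather than incremented and decremented in place, and the names `AclGraph`, `RULES`, `lookup` and `refcounts` are hypothetical.

```python
from collections import Counter

# Constructed sample ACL: ((src, dst), action), evaluated first-match.
RULES = [(("10.0.0.1", "192.168.1.5"), "accept"),
         (("10.0.0.2", "192.168.1.5"), "accept"),
         (("*", "192.168.1.9"), "accept")]

class AclGraph:
    def __init__(self, rules, nfields=2):
        self.n, self.nodes, self.root = nfields, [], None   # None leaf = undecided
        self.master = [{} for _ in range(nfields)]          # per level: signature -> node id
        for lvl in reversed(range(nfields)):                # start from an all-undecided chain
            self.root = self._intern(lvl, {}, self.root)
        for fields, action in rules:                        # sequential rule processing
            self.root = self._apply(0, self.root, fields, action)

    def _intern(self, lvl, edges, default):
        edges = {v: c for v, c in edges.items() if c != default}   # canonical form
        # Signature = field values + subtree pointers; dict lookup compares hashes
        # first and performs the full comparison only when they match.
        sig = (tuple(sorted(edges.items())), default)
        if sig not in self.master[lvl]:
            self.nodes.append((edges, default))
        return self.master[lvl].setdefault(sig, len(self.nodes) - 1)

    def _apply(self, lvl, node, rule, action):
        if lvl == self.n:                                   # leaf: earlier rule keeps priority
            return action if node is None else node
        edges, default = self.nodes[node]
        edges = dict(edges)                                 # copy the node, then update the copy
        targets = list(edges) if rule[lvl] == "*" else [rule[lvl]]
        for v in targets:
            edges[v] = self._apply(lvl + 1, edges.get(v, default), rule, action)
        if rule[lvl] == "*":                                # wildcard also updates the default branch
            default = self._apply(lvl + 1, default, rule, action)
        return self._intern(lvl, edges, default)            # duplicate -> existing node id

    def lookup(self, packet):
        node = self.root
        for lvl in range(self.n):
            edges, default = self.nodes[node]
            node = edges.get(packet[lvl], default)
        return node or "deny"                               # undecided leaf: implicit deny

    def refcounts(self):
        counts, level = Counter(), [self.root]
        for _ in range(self.n - 1):                         # count ancestor pointers per node
            level = [c for n in set(level) for c in (*self.nodes[n][0].values(), self.nodes[n][1])]
            counts.update(level)
        return counts
```

With the sample rules, both source addresses end up pointing at one shared destination-level node, and its reference count is 2.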

18. (Currently amended) An apparatus configured for performing one or more processing 
operations utilizing a representation of an access control list, the access control list comprising a 
plurality of rules, each of at least a subset of the rules having a plurality of fields and a 
corresponding action, the apparatus comprising: 

a processor having memory circuitry associated therewith;

the memory circuitry being configured for storing at least a portion of a multi-level
tree representation of the access control list, each of one or more of the levels of the tree 
representation being associated with a corresponding one of the fields; 

the processor being operative to utilize the stored tree representation to perform an 
access control list based function; 

wherein at least one level of the tree representation comprises a plurality of nodes, 
with two or more of the nodes having a common subtree, the tree representation including only a 
single copy of that subtree, the subtree comprising at least one node that is not a leaf node of the tree 
representation; 

the tree representation being characterizable as a directed graph in which each of the 
two nodes having the common subtree points to the single copy of the common subtree; 

wherein for at least a given level of the tree representation that corresponds to a field 
of a rule of the access control list, a master list of nodes is maintained, at least a given such node 
comprising information characterizing one or more field values associated with that node, one or 
more subtree pointers for that node, and a reference count indicating how many ancestor nodes are 
pointing to that node; 

wherein the tree representation is generated by sequentially processing the rules of 
the access control list, the processing for a given rule comprising applying values of fields of the 
given rule to one or more existing nodes of the tree representation, and wherein when a particular 
value of a field of the given rule is applied to a given node, a copy is made of the node, the field 
value is applied to the copied node, and the resultant updated node is added to the master list of the 
corresponding level; and

wherein the updated node is compared with other nodes of the master list and if a 
duplicate node is found, the copied node is deleted and a pointer to the duplicate node is provided to 
an ancestor node that points to the given node, a subtree pointer of the ancestor node is updated to 
the duplicate node pointer, a reference count of the duplicate node now pointed to by the ancestor 
node is incremented and a reference count of the given node previously pointed to by the ancestor 
node is decremented.

19. (Original) The apparatus of claim 18 wherein the memory circuitry comprises at least one
of internal memory and external memory of the processor.

20. (Currently amended) An article of manufacture comprising a machine-readable storage
medium having program code stored thereon, the program code generating a representation of an 
access control list, the representation being utilizable in a processor, wherein the program code when 
executed implements the steps of: 

determining a plurality of rules of the access control list, each of at least a subset of 
the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access control 
list, each of one or more of the levels of the tree representation corresponding to a respective one of 
the fields; 

wherein at least one level of the tree representation comprises a plurality of nodes, 
with two or more of the nodes of that level having a common subtree, the tree representation 
including only a single copy of that subtree, the subtree comprising at least one node that is not a 
leaf node of the tree representation; 

the tree representation being characterizable as a directed graph in which each of the 
two nodes having the common subtree points to the single copy of the common subtree; 

wherein for at least a given level of the tree representation that corresponds to a field 
of a rule of the access control list, a master list of nodes is maintained, at least a given such node 
comprising information characterizing one or more field values associated with that node, one or 
more subtree pointers for that node, and a reference count indicating how many ancestor nodes are 
pointing to that node; 

wherein the tree representation is generated by sequentially processing the rules of 
the access control list, the processing for a given rule comprising applying values of fields of the 
given rule to one or more existing nodes of the tree representation, and wherein when a particular 
value of a field of the given rule is applied to a given node, a copy is made of the node, the field 
value is applied to the copied node, and the resultant updated node is added to the master list of the 
corresponding level; and

wherein the updated node is compared with other nodes of the master list and if a 
duplicate node is found, the copied node is deleted and a pointer to the duplicate node is provided to 
an ancestor node that points to the given node, a subtree pointer of the ancestor node is updated to 
the duplicate node pointer, a reference count of the duplicate node now pointed to by the ancestor
node is incremented and a reference count of the given node previously pointed to by the ancestor
node is decremented.